layerzero

2 articles
vulnerability

Two high-severity Denial of Service vulnerabilities were discovered in Stargate, LayerZero's liquidity layer. Bug #1 exploits a Solidity quirk where try/catch statements revert when calling non-contract addresses, allowing attackers to permanently freeze message channels by targeting non-existent contracts with swap payloads. Bug #2 abuses SSTORE gas costs to create payloads exceeding the 175k gas budget allocated for cross-chain message delivery, causing out-of-gas reverts that block the entire bridge channel.

Stargate LayerZero ULNv1 MPTValidator Immunefi Router Bridge sgReceive() lzReceive()
trust-security.xyz · Trust Security · 4 hours ago
vulnerability

A denial-of-service vulnerability in LayerZero's ONFT (ERC721) implementation allows attackers to freeze cross-chain token transfers by passing a malicious receiver contract that exhausts gas in the onERC721Received() callback, causing the message to block indefinitely at the Endpoint level. The issue stems from NonBlockingLzApp's insufficient gas reservation (1/64 of gasLimit) to handle failed message storage when all allocated gas is consumed.

LayerZero Stargate Immunefi OpenZeppelin ULNv1 NonBlockingLzApp ONFT OFT ERC721 ERC20
trust-security.xyz · Trust Security · 4 hours ago